PYTHON-5432 Use ECR instead of artifactory

Author: blink1073

README.md

@@ -26,7 +26,7 @@ used with the `gh` cli.
 
 There is a common setup action that is meant to be run before all
 other actions.  It handles fetching secrets from AWS Secrets Manager,
-signing into Artifactory, setting up Garasign credentials, and
+signing into ECR, setting up Garasign credentials, and
 setting up environment variables used in other actions.
 The action requires `id-token: write` permissions.
 
@@ -45,9 +45,8 @@ The action requires `id-token: write` permissions.
 > `actions/checkout action`
 >
 > The following keys MUST be defined in the ``AWS_SECRET_ID`` vault:
-> `artifactory-username`, `artifactory-password`, `garasign-username`
-> `garasign-password`, `gpg-key-id`.  If uploading to an S3 bucket, also define
-> `release-assets-bucket`.
+> `garasign-username`, `garasign-password`, `gpg-key-id`.
+> If uploading to an S3 bucket, also define `release-assets-bucket`.
 
 ## Signing tools
 

bump-version/action.yml

@@ -16,8 +16,11 @@ inputs:
   working_directory:
     description: The working directory for the version bump
     default: "."
+  ecr_repository:
+    description: "The ECR repository to use"
+    default: release-infrastructure/garasign-git
   artifactory_image:
-    description: "Image to use for artifactory"
+    description: "(deprecated) Image to use for artifactory"
     default: release-tools-container-registry-local/garasign-git
 
 runs:
@@ -36,10 +39,10 @@ runs:
         export COMMIT_MESSAGE=$(echo "${{ inputs.commit_template }}" | envsubst)
         echo "COMMIT_MESSAGE=$COMMIT_MESSAGE" >> $GITHUB_ENV
     - name: Commit the version bump
-      uses: mongodb-labs/drivers-github-tools/git-sign@v2
+      uses: blink1073/drivers-github-tools/git-sign@PYTHON-5432
       with:
         command: git commit -a -m \"${{ env.COMMIT_MESSAGE }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }}
-        artifactory_image: ${{ inputs.artifactory_image }}
+        ecr_repository: ${{ inputs.ecr_repository }}
     - name: Push the commit to the source branch
       shell: bash -eux {0}
       run: |

create-branch/action.yml

@@ -23,10 +23,13 @@ inputs:
   release_workflow_path:
     description: The path to the release workflow file
     default: .github/workflows/release.yml
+  ecr_repository:
+    description: "The ECR repository to use"
+    default: release-infrastructure/garasign-git
+  # Unused inputs, to be removed in V3.
   artifactory_image:
     description: Image to use for artifactory
     default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local
-  # Unused inputs, to be removed in V3.
   sbom_file_path:
       description: The path of the sbom-lite file
       default: sbom.json
@@ -43,11 +46,11 @@ runs:
         SBOM_FILE_PATH: ${{ inputs.sbom_file_path }}
         RELEASE_WORKFLOW_PATH: ${{ inputs.release_workflow_path }}
         EVERGREEN_PROJECT: ${{ inputs.evergreen_project }}
-        ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
       run: ${{ github.action_path }}/create-branch.sh
     - uses: mongodb-labs/drivers-github-tools/bump-version@v2
       with:
         version: ${{ inputs.version }}
         version_bump_script: ${{ inputs.version_bump_script }}
         commit_template: "Prep branch ${{ inputs.branch_name }}"
-        push_commit: ${{ inputs.push_changes }}
+        push_commit: ${{ inputs.push_changes }}
+        ecr_repository: ${{ inputs.ecr_repository }}

full-report/action.yml

@@ -39,7 +39,7 @@ runs:
   using: composite
   steps:
     - name: Generate Authorized Publication Report
-      uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
+      uses: blink1073/drivers-github-tools/authorized-pub@PYTHON-5432
       with:
         product_name: ${{ inputs.product_name }}
         release_version: ${{ inputs.release_version }}
@@ -48,19 +48,19 @@ runs:
     - name: Generate SBOM File
       # not all packages have third party dependencies, and so not all packages integrate with silk.
       if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }}
-      uses: mongodb-labs/drivers-github-tools/sbom@v2
+      uses: blink1073/drivers-github-tools/sbom@PYTHON-5432
       with:
         silk_asset_group: ${{ inputs.silk_asset_group }}
         sbom_file_name: ${{ inputs.sbom_file_name }}
         kondukto_sub_project: ${{ inputs.kondukto_sub_project }}
         sbom_in_path: ${{ inputs.sbom_in_path }}
     - name: Generate Sarif File
-      uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
+      uses: blink1073/drivers-github-tools/code-scanning-export@PYTHON-5432
       with:
         ref: ${{ inputs.sarif_report_target_ref || inputs.release_version }}
         output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json
     - name: Generate Compliance Report
-      uses: mongodb-labs/drivers-github-tools/compliance-report@v2
+      uses: blink1073/drivers-github-tools/compliance-report@PYTHON-5432
       with:
         release_version: ${{ inputs.release_version }}
         security_report_location: ${{ inputs.security_report_location }}

git-sign/action.yml

@@ -4,20 +4,23 @@ inputs:
   command:
     description: "Command to run inside the container"
     required: true
+  ecr_repository:
+    description: "The ECR repository to use"
+    default: release-infrastructure/garasign-git
   artifactory_image:
-    description: "Image to use for artifactory"
+    description: "(deprecated) Image to use for artifactory"
     default: release-tools-container-registry-local/garasign-git
 
 runs:
   using: composite
   steps:
     - name: "Run git command"
       run: |
-        podman run \
+        docker run \
           --env-file=$GARASIGN_ENVFILE \
           --rm \
           -v $(pwd):$(pwd) \
           -w $(pwd) \
-          ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \
+          ${ECR_REGISTRY}/${{ inputs.ecr_repository }} \
           /bin/bash -c "gpgloader && ${{ inputs.command }}"
       shell: bash

gpg-sign/action.yml

@@ -4,8 +4,11 @@ inputs:
   filenames:
     description: "File name(s) to sign, can be a glob pattern"
     required: true
+  ecr_repository:
+    description: "The ECR repository to use"
+    default: release-infrastructure/garasign-git
   artifactory_image:
-    description: "Image to use for artifactory"
+    description: "(deprecated) Image to use for artifactory"
     default: release-tools-container-registry-local/garasign-gpg
 
 runs:
@@ -24,12 +27,12 @@ runs:
     - name: "Create detached signature for file"
       shell: bash
       run: |
-        podman run \
+        docker run \
           --env-file=$GARASIGN_ENVFILE \
           --rm \
           -v $(pwd):$(pwd) \
           -w $(pwd) \
-          ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \
+          ${ECR_REGISTRY}/${{ inputs.ecr_repository }} \
           /bin/bash -c 'gpgloader && for filename in ${{ inputs.filenames }}; do gpg --detach-sign --armor --output ${filename}.sig ${filename}; done'
 
     - name: "Move the signature files to the release directory"

python/post-publish/action.yml

@@ -70,15 +70,15 @@ runs:
           echo "VERSION=$VERSION" >> $GITHUB_ENV
         fi
     - name: Create detached signature for dist files
-      uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
+      uses: blink1073/drivers-github-tools/gpg-sign@PYTHON-5432
       with:
         filenames: dist/*
     - name: Get the evergreen commit
       id: evergreen-commit
       shell: bash
       run: |
         echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
-    - uses: mongodb-labs/drivers-github-tools/full-report@v2
+    - uses: blink1073/drivers-github-tools/full-report@PYTHON-5432
       with:
         product_name: ${{ inputs.product_name }}
         release_version: ${{ env.VERSION }}
@@ -90,7 +90,7 @@ runs:
         evergreen_project: ${{ inputs.evergreen_project }}
         evergreen_commit: ${{ steps.evergreen-commit.outputs.commit }}
         token: ${{ inputs.token }}
-    - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
+    - uses: blink1073/drivers-github-tools/upload-s3-assets@PYTHON-5432
       with:
           version: ${{ env.VERSION }}
           product_name: ${{ inputs.product_name }}
@@ -121,7 +121,7 @@ runs:
         git clean -dffx
         git pull origin ${GITHUB_REF}
     - name: Set following version
-      uses: mongodb-labs/drivers-github-tools/bump-version@v2
+      uses: blink1073/drivers-github-tools/bump-version@PYTHON-5432
       if: inputs.dry_run == 'false'
       with:
           version: ${{ steps.publish-script.outputs.following_version }}

python/pre-publish/action.yml

@@ -63,15 +63,15 @@ runs:
           echo "VERSION=$VERSION" >> $GITHUB_ENV
         fi
     - name: Set version
-      uses: mongodb-labs/drivers-github-tools/bump-version@v2
+      uses: blink0173/drivers-github-tools/bump-version@PYTHON-5432
       if: ${{ inputs.version }}
       with:
         version: ${{ env.VERSION }}
         version_bump_script: ${{ inputs.version_bump_script }}
         working_directory: ${{ inputs.working_directory }}
         push_commit: ${{ env.PUSH_CHANGES }}
     - name: Tag version
-      uses: mongodb-labs/drivers-github-tools/tag-version@v2
+      uses: blink0173/drivers-github-tools/tag-version@PYTHON-5432
       with:
         version: ${{ env.VERSION }}
         tag_template: ${{ inputs.tag_template }}

sbom/action.yml

@@ -10,10 +10,13 @@ inputs:
   kondukto_sub_project:
     description: The Kondukto sub-project name (appended to the branch name)
     required: false
+  ecr_repository:
+    description: "The ECR repository to use"
+    default: release-infrastructure/silkbomb:2.0
+  # No longer used, to be removed in V3.
   artifactory_image:
     description: Image to use for artifactory
     default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0
-  # No longer used, to be removed in V3.
   silk_asset_group:
     description: The Silk Asset Group for the Project
     required: false
@@ -26,7 +29,7 @@ runs:
       env:
         SBOM_IN_PATH: ${{ inputs.sbom_in_path }}
         KONDUKTO_SUB_PROJECT: ${{ inputs.kondukto_sub_project }}
-        ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
+        ECR_REPOSITORY: ${{ inputs.ecr_repository }}
         SBOM_FILE_NAME: ${{ inputs.sbom_file_name }}
       run: |
         set -eu
@@ -37,14 +40,14 @@ runs:
         fi
         echo "Generating SBOM file for ${KONDUKTO_BRANCH}..."
         echo "Updating SBOM file..."
-        podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
+        docker run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
           --env-file=${KONDUKTO_ENVFILE} \
-          ${ARTIFACTORY_IMAGE} \
+          ${ECR_REGISTRY}/${ECR_REPOSITORY} \
           update --sbom-in /repo/${SBOM_IN_PATH} --sbom-out /pwd/cyclonedx.sbom.json --generate-new-serial-number
         echo "Augumenting SBOM file..."
-        podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
+        docker run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
           --env-file=${KONDUKTO_ENVFILE} \
-          ${ARTIFACTORY_IMAGE} \
+          ${ECR_REGISTRY}/${ECR_REPOSITORY} \
           augment --sbom-in /pwd/cyclonedx.sbom.json --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json
         cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS}/${SBOM_FILE_NAME}
         echo "Generating SBOM file for ${KONDUKTO_BRANCH}... done."

setup/action.yml

@@ -10,10 +10,13 @@ inputs:
   aws_secret_id:
     description: "The name of the aws secret to use"
     required: true
+  ecr_registry:
+    description: "The ECR registry to use"
+    default: "901841024863"
   artifactory_username:
-    description: "The artifactory username to be used"
+    description: "(deprecated) The artifactory username to be used"
   artifactory_registry:
-    description: "Artifactory registry to be used"
+    description: "(deprecated) Artifactory registry to be used"
     default: artifactory.corp.mongodb.com
 
 runs:
@@ -25,6 +28,10 @@ runs:
       role-to-assume: ${{ inputs.aws_role_arn }}
       role-session-name: release-session
       aws-region: ${{ inputs.aws_region_name }}
+  - name: Log in to ECR
+    uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2
+    with:
+      registries: "${{ inputs.ecr_registry }}"
   - name: Read secrets from AWS Secrets Manager into environment variables
     uses: aws-actions/aws-secretsmanager-get-secrets@5e19ff380d035695bdd56bbad320ca535c9063f2 # v2
     with:
@@ -36,7 +43,5 @@ runs:
     id: setup
     run: ${{ github.action_path }}/setup.sh
     env:
-      ARTIFACTORY_USERNAME_INPUT: ${{ inputs.artifactory_username }}
-      ARTIFACTORY_REGISTRY: ${{ inputs.artifactory_registry }}
-      ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
       AWS_SECRET_ID: ${{ inputs.aws_secret_id }}
+      ECR_REGISTRY: ${{ inputs.ecr_registry }}